FFT news digest Dec 20 2019

Watching every move

Facebook has admitted it can and does track your location even if you've told it not to. Yes - that's one of the reasons you're seeing adverts for a place you visited even if you didn't use Facebook while you were there. In a letter to two US Senators, Facebook said, "When location services is off, Facebook may still understand people’s locations using information people share through their activities on Facebook or through IP addresses and other network connections they use." The platform can also deduce someone's location from their general patterns of behaviour, location tags in photos, and from friends' activity. This week detailed EU research explains the tracking carried out by Netflix, Amazon and Spotify - and compares EU and US experiences. And the New York Times has an excellent overview of the extraordinary extent to which our smartphones are watching every move we make.

Passwords

It's that most wonderful time of the year when security companies publish their lists of the worst passwords we're using. Despite the ritualistic warnings of people like us, things like '12345' and '123456' continue to reign supreme, closely followed by 'qwerty' and 'password'. We're the first to admit that passwords are broken, but unfortunately they're still a fundamental part of securing our online life, and criminals are making vast profits from our tendency to re-use them. Alternatives to passwords exist, but are being adopted slowly because, while they're more secure, they're slightly harder to use and organisations worry they will put off new users. There's no shortage of advice about what a safe password should be (our own guide is here). But the fact that each one should be unique means the only safe solution is a password manager. They're not expensive. They might even make a last-minute stocking filler...

Ring

Amazon's Ring camera lacks basic security features, making it too easy to hack. That's the conclusion of an analysis by Motherboard in the wake of multiple reports of hackers harassing people through Ring devices. "Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services," Motherboard says. In response to the series of hacks, Ring said it was up to users to "follow best-security practices." As Motherboard points out, "people using mass-market consumer devices aren't going to know or implement robust security measures at all times." To compound the problem, BuzzFeed says credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names given to specific cameras.

Insider risk

Courtesy of Facebook comes a classic illustration of the risks of portable storage. Bloomberg reports that several unencrypted hard drives with the personal information of 29,000 employees were stolen from a car belonging to a member of the payroll department. "We have taken appropriate disciplinary action," a spokeswoman said. That's not much use to the employees whose banking details are on the stolen drives. Like every other organisation, Facebook will have strict rules about the use of portable storage but this incident demonstrates that rules are only useful if people follow them...and too often they don't. Facebook's experience is a reminder of the importance of awareness training - but it also underlines the need for organisations to have an ongoing conversation about security, and the potential impact of ignoring it.

Data transfers

The latest step in a closely-watched legal process has resulted in qualified support for the use of Standard Contractual Clauses (SCCs) to govern the export of personal data from the EU. In a non-binding opinion, the adviser to Europe's top court, the CJEU, said SCCs are legally valid, but transfers should be halted in cases where compliance with them cannot be guaranteed. In a highly nuanced document, the adviser also rehearsed some of the concerns over the 'Privacy Shield', which is the alternative legal basis for data transfers to the US. The opinion is the latest step in a convoluted battle over a complaint by privacy activist Max Schrems about Facebook's use of SCCs to govern the transfer of user data to the US. Schrems' argument is that US legislation means the privacy of users cannot be guaranteed. The CJEU is expected to make a ruling in the case early next year.

Phishing advice

Phishing emails are a menace, and they're becoming more sophisticated and more effective. Now, an Amnesty International researcher has published data on 100,000 phishing attacks in an effort to help people avoid being hacked. Claudio Guarnieri says 2019 saw phishing tactics evolve and mutate, with a resurgence of traditional forms as well as new variations designed to bypass two-factor authentication. This is a good week to be particularly cautious with emails, especially anything offering "too good to be true" holiday shopping deals. One of the key techniques used in phishing is to send emails when we're busy and distracted - and few times of the year fit that definition better than the run-up to Christmas. And Kaspersky warns against being tempted by illegal streams of the latest Star Wars instalment. It found 30 fraudulent websites and social media profiles disguised as official movie accounts offering free copies of 'Star Wars: The Rise of Skywalker'.

In brief

Not for the first time, serious security issues have been found in pre-installed software on Acer and ASUS computers. SafeBreach said the programs affected include Acer Quick Access and Asus ATK package. The latest versions include fixes for the issues.

A financial adviser in the US has been fined after falling for a scam and transferring $511,870 from a client's account. The now-ex UBS Vice-President failed to follow procedures and check with the client before making the transfer.

A reminder if you've used Zynga's Words with Friends or Draw Something games. Your password is probably among 173 million which were stolen and stored with weak protection. It's crucial you don't use that password anywhere else.

Criminals behind the Maze ransomware have come up with another way to extort money from their victims. Security journalist Brian Krebs reports that they're now threatening to publish data stolen from the organisations they've attacked.

Do protect your accounts for bike and scooter rental services. Lime user details are being sold on Dark Web forums, according to Motherboard.

Instagram is to expand its limited fact-checking test next year, but politicians will be exempt. Facebook said content rated false or partly false would be labeled as such.

Updates

Microsoft: Note the security update that addresses a vulnerability in SharePoint Server which could be exploited to obtain sensitive information. The patch was released last week, but the advisory wasn't included with the other announcements.

Chrome: Much unhappiness among the 15% of users who took the Chrome 79 update which promptly caused the disappearance of data stored by some web applications. Google withdrew the update and says it's now fixed.

TP-Link: Important update to address issue discovered by IBM Security Intelligence. If exploited, the vulnerability could allow a remote attacker to take control of the router’s configuration. The issue is considered critical since it can grant an unauthorized third-party access to the router with admin privileges, which are the default on this device for all users, without proper authentication taking place.

WordPress: Version 5.3.1 addresses four security issues.

Tails: Version 4.1.1 fixes a problem when starting Tails 4.1 on some Mac computers. If Tails 4.1 starts successfully on your computer, you don't need to upgrade.

Barco: Firmware updates for wireless presentation solutions, CS-100 and CSE-200. These provide partial fixes for security vulnerabilities identified by F-Secure.

Zimbra: Patch 5 released for Zimbra 8.8.15 “James Prescott Joule” GA release.
